On Thu, Jul 09, 2026 at 10:52:04PM +0000, [email protected] wrote: > > commit 96cce16e26dd02a8678f1e87f88a4b5cdb63b995 upstream. > > The BPF JIT allocator packs many small programs into larger executable > > allocations and reuses space within those allocations as programs are > > loaded and freed. When fresh code is written into space that a previous > > program occupied, an indirect jump into the new program can reuse a branch > > prediction left behind by the old one. > > Flush the indirect branch predictors before reusing JIT memory so that > > indirect jumps into a newly written program don't reuse predictions from an > > old program that occupied the same space. > > Introduce bpf_arch_pred_flush_enabled static key and bpf_arch_pred_flush > > static call for flushing the branch predictors on JIT memory reuse. > > Architectures that need a flush, can update it to a predictor flush > > function. By default, its a NOP and does not emit any CALL. > > Allocations larger than a pack are not covered by this flush. That is safe > > because cBPF programs (the unprivileged attack surface) are bounded well > > below a pack size. Issue a warning if this assumption is ever violated > > while the flush is active. > > Signed-off-by: Pawan Gupta <[email protected]> > > Acked-by: Daniel Borkmann <[email protected]> > > Signed-off-by: Daniel Borkmann <[email protected]> > > The reuse path this patch hardens (bpf_prog_pack_alloc() finding a free > area within a pack, and the size > BPF_PROG_PACK_SIZE branch) comes from > the pack allocator that first packed many programs into shared executable > allocations and reused freed space within a pack. > > Should this carry a Fixes: tag pointing at that commit? > > Fixes: 57631054fae6 ("bpf: Introduce bpf_prog_pack allocator")
It doesn't add much value. This commit insn't really buggy, it needs no fix for the eBPF. The fact that cBPF is unprivileged, opens a window for a JIT spraying attack. Also, the the patch is a backport, so it should stay close to upstream.
